My second Comcast Xfinity ISP glitch: They fucked up my billing

When I placed my order for Comcast Xfinity Internet service I deliberately did not provide them with a credit card number. I knew this would cause the Comcast installer to ask for the information needed for Comcast to be paid. I did that because I prefer to pay my utilities from my checking account each month when I receive a bill.

The Comcast installer was great to work with. At the end of the process he asked me for my email address. I gave it to him. A test email was sent and I confirmed receipt of the message. I expected an email within the next month asking for payment. I didn’t receive any such email and due to daily life didn’t think anything of it. Fast forward two months.

Yesterday I received a phone call from someone representing Comcast asking why I haven’t paid my bill. I told them I had not received an electronic bill via email or a paper bill. They told me the bill had been sent to “my_comcast_user_id@comcast.net”. I basically said “WTF? I didn’t even know I had a Comcast email address.” Neither the Comcast web site nor the installer mentioned this email account and that I should check it for my bill. I had reasonably assumed that when the installer asked me for the email address I preferred for all messages from Comcast that things like bills for service rendered would be sent to that address. Silly me.

The Comcast call-center rep accepted payment for the first two months by credit card and said late fees would be waived. They said my email address was corrected and assured me Comcast would not automatically bill my credit card next month.

P.S., The Comcast call-center rep who called me about my delinquent account was very pleasant. I paid the two months of service with a credit card. The call-center representative assured me Comcast would not automatically bill that credit card in the future. If that turns out to be true I’ll be very happy and assume this incident was simply a mistake. If not I’ll do my best to make Comcast sorry they ever had me for a customer. I’m beginning to understand why Comcast is one of the most hated companies in America.

Update 2015-09-01: I logged into my.xfinity.com and clicked the link that took me to web.mail.comcast.net for my account. Comcast has sent me 19 email messages since I contracted with them for Internet connectivity. Since I explicitly told the person who made the physical connection that I wanted all emails to go to my personal domain and he confirmed that would happen I am extremely pissed off.

Holy Shit! I clicked on the Comcast web site “email preferences link”. It shows, as the most important option, having the Comcast email service import, on an ongoing basis, my email from other services such as Gmail, Yahoo, and AOL. Who in their right mind would use Comcast as their primary email address and interface if you already had another email address? You have to be savvy enough to click on the “Forwarding” header much further down which in turn requires clicking another link to “My Account” and jumping through a couple more hoops to establish your well established email address as the one you want Comcast to use when communicating with yourself. I could forgive this if it weren’t for the fact I had this conversation with the person who established the physical connection and they asked for my preferred email address.

Tony Perkins gives us another book about persecution of Christians

Just what the world needs — another book about how Christians in America are persecuted. Tony Perkins, head of the FRC (Family Research Council) just emailed me to inform me that I can pre-order his book “No Fear”. I love the first sentence of his email to me:

What could God do through you, if you had no fear of man?

Clearly the world needs more religious fanatics willing to martyr themselves by committing acts of terrorism so they can be rewarded with 47 virgins in paradise. Oh, wait, that’s the other “one true religion”. Still, it’s nice to know Mr. Perkins is doing his part to ensure Muslims don’t hold a monopoly on religious extremism.

Mr Perkins goes on to tell us what we’ll find in his book:

Containing stories of young Christians facing intense opposition, No Fear shows the dramatic influence one person can have as they stand resolute for biblical truth in the pursuit of fairness, justice, and compassion.

Hopefully he explains in the book how “biblical truth” differs from simple “truth”. But I suspect “biblical truth” just means “shit I pulled out of my ass.”

It is easy to edit video to make people opposed to Planned Parenthood look like they support it

The group Majority Ohio has created a video showing how easy it is to edit video footage to make it appear that “pro-life” supporters who are trying to shut down Planned Parenthood actually support the organization:

It isn’t difficult to take sentences (or fragments) out of context and portray them to mean the opposite of what the speaker intended.

The irony is that if the forced-birthers get their way and Planned Parenthood didn’t exist there would be even more abortions. Regardless of what you think about abortion you should support Planned Parenthood. That so many people want to see the organization killed makes it obvious their real agenda isn’t about abortion. It’s about controlling people’s sexual activity and keeping sex something that is only done if you intend to create a person.

H/T Daily Kos

Just saw the trailer for the movie “The Martian” and it looks awesome

I just watched “Straight Outta Compton”. Which I highly recommend. But that isn’t the reason for this post.

The reason for this post is the trailer for “The Martian” which played before the movie. It looks awesome and has a fantastic cast. Best of all the trailer makes it clear the movie will hew closely to the book with a strong emphasis on reason, rationality, and respect for science. I can’t recommend the book highly enough and the movie looks like something I’ll probably watch twice in the theater.

My first Comcast ISP glitch: my IPv6 address changed for no reason and required manual intervention

Between 21:00 and 21:30 on 2015-08-17 (UTC-7) my primary server lost its public IPv6 address and my monitoring script started nagging me about the problem. The next morning I rebooted both my public facing router and my primary server. Neither action restored my IPv6 address.

After several more hours I decided to power-cycle my NetGear cable modem. I did not power-cycle or do anything else to my public facing router or primary server. Simply power-cycling my cable modem resulted in a new IPv6 address being assigned. The assigned IPv4 address was unchanged.

My IPv6 network prefix changed from 2601:647:4380:d0::/64 to 2601:647:4380:48::/64. I do not care that my IPv6 address changed. I do care that the change did not automatically propagate to my router and downstream hosts and required manual intervention. It is also obnoxious that my IPv6 address changed but my IPv4 address did not change. If this happens more than twice a year I’m going to be extremely unhappy. Despite my ADSL speed problems with AT&T/Sonic.net that caused me to switch to Comcast I never experienced a problem of this nature with those companies.

An interesting attack on my web server: “POST /” with seemingly nonsense data

Today a system in Serbia issued a “POST / HTTP/1.1” request to my web server. The data consisted of a seemingly nonsensical sequence of key/value pairs separated by ampersands. The first one was this:

n764b3b=ZWNobyAnMW9rMScuIlxuIjtleGl0Ow

All of the subsequent key/value pairs had the same value. Here are the keys:

n764b3b n828e00 n318a65 nbc8a20 n9e5e25
n22ec2b ndfbe75 n0e7f9c n9e5e25 n95e668
ne91e7a n4a90f1 n39d576 n13e558 nd6e706
n33beb2 nc06699 n78cd5a nb78204 nd335c3
nf03a5d n93bc3c n55d3bf n81977d nf26eee
n036581 n108fc5 nb89d65 nfb8c26 n46b398
n01b955 n92001e n1c1ae6 n93bc3c n760097
n23f412 nbc8a20 n59a097 n5388ff n8f249d
n9e5e25 n95e668 n93bc3c

A Google search suggests that WordPress might have used those keys as nonces. See this WordPress forum thread as an example. Other search results suggest the keys are PHP bytecode operators. Which suggests that this attack is trying to execute pre-compiled (i.e., bytecode) PHP. Sadly, a search for the value “ZWNobyAnMW9rMScuIlxuIjtleGl0Ow” didn’t yield any results.

I’m not sufficiently motivated to dig into this any further since I never allow POST requests to the root document of my web server and am thus immune to this attack. Nonetheless, I would love to hear from someone who can shed more light on what this attacker is trying to accomplish.
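The value in that request is base64 sent without its trailing padding, which may be why searching for the raw string finds nothing. The following is an added example, not part of the original post: it parses a form body built from the first three keys and the value quoted above and decodes the value. The function names and the list of PHP markers are assumptions made for illustration; the decoded text is a short PHP statement that prints a marker string and exits.

```python
import base64
import binascii
from urllib.parse import parse_qsl

# Value copied from the logged request; the keys are the first three listed in the post.
VALUE = "ZWNobyAnMW9rMScuIlxuIjtleGl0Ow"
SAMPLE_BODY = "&".join(f"{key}={VALUE}" for key in ("n764b3b", "n828e00", "n318a65"))

# Assumed, non-exhaustive markers that suggest a decoded value is PHP source.
PHP_HINTS = ("<?php", "eval(", "echo ", "exit;", "system(", "base64_decode(")


def decode_b64_loose(value):
    """Decode base64 that arrived without '=' padding; return text or None."""
    candidate = value.replace(" ", "+")  # form decoding turns '+' into a space
    candidate += "=" * (-len(candidate) % 4)
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch.isspace() for ch in text):
        return text
    return None


def triage_post_body(body):
    """Summarise a urlencoded POST body: parameter count and decoded values."""
    pairs = parse_qsl(body, keep_blank_values=True)
    decoded = {}
    for _, value in pairs:
        text = decode_b64_loose(value)
        if text is not None:
            decoded[value] = text
    return {
        "params": len(pairs),
        "distinct_values": len({value for _, value in pairs}),
        "decoded": decoded,
        "php_like": [t for t in decoded.values() if any(h in t for h in PHP_HINTS)],
    }


if __name__ == "__main__":
    print(triage_post_body(SAMPLE_BODY))
```

Many parameter names carrying one identical PHP snippet is consistent with a probe that checks whether anything on the server evaluates one of those parameters as code; that reading is an inference from the decoded text, not something the logged request proves.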

Why am I suddenly seeing attacks against the WordPress imgmanager plugin?

In the past three days I’ve seen multiple attacks against an ancient (i.e., 2.5 year old) security hole in the Joomla imgmanager plugin you can find documented here. The attacks came from a Thailand ISP and a Russian cloud service provider. The attacks start with a request similar to this one:

POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1

The POST content attempts to create a file named bogel.gif that contains a PHP program that was compressed, rot13 encoded, then base64 encoded.

It amazes me that hackers are wasting time on ancient security flaws with a low probability of succeeding. It’s amazing because doing so tells the world the source of the attack should be blacklisted thus making it useless for more productive attacks. Perhaps that says something about how bad the defenses are for the typical web site. Personally, I have a zero tolerance, one strike and you’re blacklisted for three months, policy. And the three month interval restarts every time I see another request from the source. If more sites had similar policies it might exert some pressure on ISPs and VPS/cloud computing providers to actually deal with malware.

I’m also extremely pissed off that WordPress doesn’t report a meaningful error when a bogus plugin request is handled. I say bogus because in every case I’ve seen it’s been to a plugin that isn’t installed on my system. So I’m just going to blacklist all attempts to POST /index.php (as well as any other path ending in /index.php). If and when I ever install a plugin that I want to allow POSTing to I’ll explicitly whitelist it.
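The blocking policy described in this post, replayed over a few constructed log records, as an added example that is not the author's own tooling. It assumes "three months" means 90 days, treats a POST to the root document or to any path ending in /index.php as the strike, and uses documentation-range addresses; all names are illustrative.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

BLOCK_FOR = timedelta(days=90)  # assumption: "three months" taken as 90 days

# Constructed log records: (timestamp, source address, method, request target)
SAMPLE_LOG = [
    ("2015-08-06T10:00:00", "203.0.113.7", "POST", "/index.php?option=com_jce&task=plugin"),
    ("2015-08-06T10:05:00", "198.51.100.9", "GET", "/index.php"),
    ("2015-09-20T08:00:00", "203.0.113.7", "GET", "/"),
    ("2015-12-01T08:00:00", "203.0.113.7", "GET", "/"),
    ("2015-12-02T09:00:00", "192.0.2.44", "POST", "/"),
]


def is_strike(method, target):
    """POST to the root document or to any path ending in /index.php."""
    path = urlsplit(target).path
    return method.upper() == "POST" and (path == "/" or path.endswith("/index.php"))


def replay(records):
    """Return (decisions, blocklist), where blocklist maps source -> expiry."""
    blocked, decisions = {}, []
    for stamp, source, method, target in records:
        now = datetime.fromisoformat(stamp)
        expiry = blocked.get(source)
        if expiry is not None and now < expiry:
            # Any request from a blocked source restarts the interval.
            blocked[source] = now + BLOCK_FOR
            decisions.append((source, "deny"))
        elif is_strike(method, target):
            blocked[source] = now + BLOCK_FOR  # one strike
            decisions.append((source, "deny+block"))
        else:
            blocked.pop(source, None)  # drop an expired entry, if any
            decisions.append((source, "allow"))
    return decisions, blocked


if __name__ == "__main__":
    for decision in replay(SAMPLE_LOG)[0]:
        print(decision)
```

The fourth record shows the effect of the restarting interval: the original block would have lapsed in early November, but the September request pushed the expiry past the December one.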

70 years ago the nuclear nightmare begins

The following movie came to my attention thanks to Phil Plait’s Bad Astronomy blog. Since today is the 70th anniversary of America’s bombing of Hiroshima the following video showing when and where nuclear explosions have occurred from 1945 to 1998 is relevant and sobering.

I was born in 1961 and remember “duck and cover” drills at school. Going shopping at the local mall or department store meant looking for the nuclear civil defense fallout shelter signs that indicated where you should go in the event of a nuclear explosion. I didn’t know anyone who had a bomb shelter in their back yard but it was certainly discussed and magazines like Popular Mechanics had articles about building one. So when I watch today’s GOP representatives argue against the Obama administration’s Iran nuclear agreement I think about stuffing the lot of them into a suburban backyard bomb shelter without food or water and padlocking the door.